[Pkg-alsa-devel] Bug#294128: alsa-utils: Concerns due to unsafe /tmp usage in alsaconf

Javier Fernández-Sanguino Peña, 294128@bugs.debian.org
Tue, 8 Feb 2005 02:20:17 +0100


Package: alsa-utils
Version: 1.0.8-1
Priority: important
Tags: security upstream

While doing a security audit review of Debian packages for unsafe usage of
/tmp I've found this in alsa-utils' alsaconf:

    CARDID_DB=/var/tmp/alsaconf.cards
    if [ ! -r $CARDID_DB ]; then
        use_modinfo_db=1
    fi
(...)
    if [ $use_modinfo_db = 1 ]; then
        xecho "Building card database.."
        build_card_db $CARDID_DB
    fi

build_card_db is a function in alsaconf that starts like this:

build_card_db () {
    MODDIR=/lib/modules/`uname -r`
    last_driver=""
    echo -n > $1
(...)

This code is prone to a race condition since the CARDID_DB file is not
created immediately, but created later on. Since alsaconf can only be used
by root this means that a rogue local user could have root overwrite any
files through a symlink attack by exploiting that race condition. Notice,
also, that the test for CARDID_DB is [ -r ] when it should really be [ -e ]

I'm not sure how to best fix this (since CARDID_DB seems to be created
under /var/tmp so it's not removed after reboots) but it looks like it
should, at least, check if the file exists and create it immediately
afterwards. Also, the script should use the 'noclobber' and -e options for
additional safety.

Regards

Javier

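Added example, not alsaconf's code and not part of the report above: a POSIX
sh script that reproduces the check-then-create window from the quoted
snippets, lets a stand-in "attacker" plant a symlink inside that window, and
puts a hardened build function next to it that follows the report's
suggestion of set -C (noclobber) and set -e. The hardened function also does
two things the report does not spell out, both my own additions: it tests
the path with -L as well as -e, since neither -r nor -e notices a dangling
symlink, and it opens the database once with exec and writes through the
held descriptor rather than reopening the path for every write. All paths,
the "snd-foo foo" line and the mktemp work directory are constructed for the
demo.

```shell
#!/bin/sh
# Added example (not alsaconf's code): the check-then-create window in the
# CARDID_DB handling, and a hardened variant built on 'set -C' (noclobber)
# and 'set -e' as the report suggests. Paths and DB contents are made up.

# Vulnerable pattern, reduced from alsaconf: decide based on a test, create
# the file later. $2 is an optional command evaluated inside that window; it
# stands in for a local user who wins the race.
vulnerable_build_card_db() {
    db=$1
    use_modinfo_db=0
    if [ ! -r "$db" ]; then        # also true for a dangling symlink
        use_modinfo_db=1
    fi
    eval "${2:-:}"                 # the window between check and create
    if [ "$use_modinfo_db" = 1 ]; then
        : > "$db"                  # same as alsaconf's 'echo -n > $1':
                                   # plain '>' follows a symlink and truncates
        printf '%s\n' 'snd-foo foo' >> "$db"
    fi
}

# Hardened variant. Runs in a subshell so the options do not leak to the
# caller. 'set -C' makes '>' use O_CREAT|O_EXCL for a path that does not
# stat as a regular file, so a symlink planted in the window makes the
# redirection fail instead of being followed. The create is also checked
# explicitly: 'set -e' is suspended while a caller tests this function's
# status in an 'if' or '||'. The descriptor is opened once and held: later
# writes go through fd 3, not through the path.
safe_build_card_db() (
    set -C -e
    db=$1
    if [ -L "$db" ] || [ -e "$db" ]; then
        # -e alone misses a dangling symlink (stat fails); -L catches it.
        echo "refusing to build $db: path already present" >&2
        exit 1
    fi
    eval "${2:-:}"                 # same window as above
    exec 3>"$db" || exit 1         # exclusive create; fails on a planted link
    printf '%s\n' 'snd-foo foo' >&3
    exec 3>&-
)

# Attacker plants db -> victim after the check. Prints the victim's content
# afterwards; "snd-foo foo" means root wrote through the link.
demo_vulnerable_race() {
    work=$(mktemp -d)
    victim=$work/root-owned-file; db=$work/alsaconf.cards
    printf 'important\n' > "$victim"
    vulnerable_build_card_db "$db" "ln -s '$victim' '$db'"
    cat "$victim"
    rm -rf "$work"
}

# Same attack against the hardened version; prints "<outcome> <victim>".
demo_hardened_race() {
    work=$(mktemp -d)
    victim=$work/root-owned-file; db=$work/alsaconf.cards
    printf 'important\n' > "$victim"
    outcome=built
    if ! safe_build_card_db "$db" "ln -s '$victim' '$db'" 2>/dev/null; then
        outcome=refused
    fi
    printf '%s %s\n' "$outcome" "$(cat "$victim")"
    rm -rf "$work"
}

# Dangling symlink planted *before* the check: [ -r ] and [ -e ] both fail
# on it, so the vulnerable script decides to build and creates the target
# the attacker named; the hardened check sees the link via -L.
demo_dangling_symlink() {
    work=$(mktemp -d)
    target=$work/attacker-chosen-name; db=$work/alsaconf.cards
    ln -s "$target" "$db"
    vulnerable_build_card_db "$db"
    v=missing
    if [ -e "$target" ]; then v=created; fi
    h=built
    safe_build_card_db "$db" 2>/dev/null || h=refused
    printf 'vulnerable=%s hardened=%s\n' "$v" "$h"
    rm -rf "$work"
}
```

Run it with sh and call the demo_* functions; each prints its result. One
caveat on noclobber itself: it refuses a path that stats as a regular file
and, through O_EXCL, one that does not stat at all, but a symlink pointing at
a non-regular file (a FIFO or a device node) is still opened. That is why the
-L test before the create is kept rather than relying on set -C alone, and
why writing through a held descriptor matters once the file exists.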